Skip to content

Sophos Protection for Linux logs

Sophos Protection for Linux (SPL) includes extensive logging on the endpoint device that you can use to gather information when troubleshooting and get insight into product operation.

Only logs for licensed products appear on a Linux device.

Log format

Most SPL log entries take on the following format:

<Time since proc start (ms)> [Log time] <LOG LEVEL> [Thread ID] <Logger> <> <Message>

Here's an example:

180688  [2023-09-15T14:17:40.125]    INFO [9263606720] SulDownloaderSDDS3 <> SUS Request was successful

Maximum size and rollover

The rollover behavior isn't configurable. You can't override the number of log files to keep or the maximum file size.

Every SPL log file has a maximum size of 1 MB. When a log file reaches 1 MB, SPL appends a number to the end of the file sequentially, starting with 1, and starts a new log file. SPL saves the last ten occurrences of each log file this way. When SPL reaches the limit of ten, it deletes the oldest file to make room for a new one.

The maximum number of occurences of a log file you'll see is 11. The current log file without a number at the end and the previous ten occurrences. Here's an example:

root@Ubuntu-VM:/opt/sophos-spl/plugins/av/log# ls -la
total 14612
drwx------ 3 sophos-spl-user sophos-spl-group    4096 Jul 10  2023  .
drwx------ 7 sophos-spl-user sophos-spl-group    4096 Jul 10  2023  ..
-rw-rw---- 1 sophos-spl-user sophos-spl-group  932145 Jul 10  2023  av.log
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048748 Jul 10  2023  av.log.1
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048700 Jul 10  2023  av.log.2
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048685 Jul 10  2023  av.log.3
drwx------ 3 sophos-spl-user sophos-spl-group    4096 Jul 10  2023  chroot
-rw-rw---- 1 sophos-spl-user sophos-spl-group  247316 Jul 10  2023  safestore.log
-rw-rw---- 1 sophos-spl-user sophos-spl-group   17812 Jul 10  2023 'Scan Now.log'
-rw-rw---- 1 sophos-spl-user sophos-spl-group   51549 Jul 10  2023  soapd.log
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048720 Jul 10  2023  soapd.log.1
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048621 Jul 10  2023  soapd.log.10
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048598 Jul 10  2023  soapd.log.2
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048693 Jul 10  2023  soapd.log.3
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048675 Jul 10  2023  soapd.log.4
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048677 Jul 10  2023  soapd.log.5
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048770 Jul 10  2023  soapd.log.6
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048577 Jul 10  2023  soapd.log.7
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048658 Jul 10  2023  soapd.log.8
-rw-rw---- 1 sophos-spl-user sophos-spl-group 1048759 Jul 10  2023  soapd.log.9

runtimedetections.log rollover

SPL still saves the last ten occurrences of runtimedetections.log, but the rollover behavior differs from the other log files. When runtimedetections.log reaches 1 MB, SPL appends a time stamp to the end of the file rather than a number. Here's an example:

# ls -l
total 1224
-rw------- 1 sophos-spl-user sophos-spl-group 1049167 May  7 21:04 runtimedetections-2024-05-07T21-04-24.105.log
-rw------- 1 sophos-spl-user sophos-spl-group    6836 May  7 21:04 runtimedetections.log

Log level

The default global log level for SPL is "INFO". You can change the log level of SPL by editing /opt/sophos-spl/base/etc/logger.conf.local and changing the value for VERBOSITY. Valid log levels are as follows:

  • DEBUG
  • SUPPORT
  • INFO
  • WARN
  • ERROR

Note

The log level reverts to "INFO" after SPL updates or restarts.

You can change the log level globally or for each component individually.

To change the log level globally, enter the following text into /opt/sophos-spl/base/etc/logger.conf.local, replacing [LOG_LEVEL] with the log level you want:

[global]
VERBOSITY = [LOG_LEVEL]

To change the log level for individual components, enter the following text into /opt/sophos-spl/base/etc/logger.conf.local, replacing [PROCESS] with the name of the SPL component you want and [LOG_LEVEL] with the log level you want:

[PROCESS]
VERBOSITY = [LOG_LEVEL]

Tip

The keys for most Sophos processes are the names of the executables in lowercase. For example, to change the log level for Updatescheduler, you would use [updatescheduler]. The exceptions to this rule are as follows:

  • mcsrouter: [mcs_router]
  • sophos_managementagent: [managementagent]

Save your changes and restart SPL for the changes to take effect.

Tip

You can find more information in /opt/sophos-spl/base/etc/logger.conf.

Log locations

Base log files

SPL stores the logs for the base components at /opt/sophos-spl/logs. The base components include the watchdog process, updating, telemetry, MCS, and the Sophos Diagnostic Utility (SDU). The base log files are as follows:

Watchdog logs

  • /opt/sophos-spl/logs/base/watchdog.log: Status of SPL processes. For example, exit codes and what has been started by the watchdog process.
  • /opt/sophos-spl/logs/base/wdctl.log: Includes details for requests to stop and start SPL processes.

Updating logs

  • /opt/sophos-spl/logs/base/sophosspl/updatescheduler.log: Logs update details. For example, when an update starts and when it finishes.
  • /opt/sophos-spl/logs/base/suldownloader.log: The main update log. Contains the details about component updates and failures.
  • /opt/sophos-spl/logs/base/suldownloader_sync.log: Includes details about the CDN connections and packages that SPL downloads to the endpoint. This includes information additive to what's in the suldownloader log. You can use this information to help troubleshoot update failures. SPL overwrites this log every time it updates.

Telemetry logs

  • /opt/sophos-spl/logs/base/sophosspl/tscheduler.log: Includes details on previously run telemetry and when it's scheduled to run.
  • /opt/sophos-spl/logs/base/sophosspl/telemetry.log: Includes details on the telemetry gathered from components. Also includes details on any failures.

MCS and management logs

  • /opt/sophos-spl/logs/base/sophosspl/mcsrouter.log: Includes details on communication between the endpoint and Sophos Central.
  • /opt/sophos-spl/logs/base/sophosspl/mcs_envelope.log: The content of the messages provided by MCS.
  • /opt/sophos-spl/logs/base/sophosspl/sophos_managementagent.log: Includes details for what policies and commands MCS applied to the SPL plugins.

Diagnostic tool logs

  • /opt/sophos-spl/logs/base/sophosspl/remote_diagnose.log: Logs remote Sophos Diagnostic Utility (SDU) requests.
  • /opt/sophos-spl/logs/base/diagnose.log: All the items that the SDU collects during the archive creation.

Plugin log files

SPL stores the logs for plugins at /opt/sophos-spl/plugins/<PLUGIN>/log. Each plugin is in a separate directory.

Note

If a log or directory isn't present on your Linux device, ensure you have the appropriate license for that plugin. Only logs for licensed products appear on a Linux device.

The plugin log files are as follows:

AV plugin

  • /opt/sophos-spl/plugins/av/log/av.log: The main log for the AV plugin. It shows most of the important events at a high level.
  • /opt/sophos-spl/plugins/av/log/soapd.log: Includes details on the status of the realtime scanner.
  • /opt/sophos-spl/plugins/av/log/Sophos Cloud Scheduled Scan.log: Includes details on when scheduled scans are triggered.
  • /opt/sophos-spl/plugins/av/log/safestore.log: Includes details about which threats are quarantined. Also shows rescan activity performed on quarantined threats. For example, rescanning when you add a new file to allowed applications.
  • /opt/sophos-spl/plugins/av/chroot/log/sophos_threat_detector.log: This log shows the status of the threat scanner process. This process performs the scans when requested by other processes such as realtime scanning, the scheduled scanner, or the command line scanner.
  • /opt/sophos-spl/plugins/av/chroot/log/susi_debug.log: Includes low-level debug information related to the AV plugin. For example, the reason the AV scanner can't scan a file.

Device isolation plugin

  • /opt/sophos-spl/plugins/deviceisolation/log/deviceisolation.log: Includes details about device isolation triggered from Sophos Central.

EDR plugin

  • /opt/sophos-spl/plugins/edr/log/edr.log: The main log for the EDR (Live Query) plugin. It shows information regarding Live Query policy and the status of osquery and Sophos extensions.
  • /opt/sophos-spl/plugins/edr/log/livequery.log: Includes details about the Live Queries triggered in Sophos Central and run on the endpoint.
  • /opt/sophos-spl/plugins/edr/log/scheduledquery.log: Includes information on all the scheduled queries and when they run.
  • /opt/sophos-spl/plugins/edr/log/edr_osquery.log: This is only populated when EDR is in DEBUG mode. When in DEBUG mode, this log contains the debug output of the osquery process.

Event journaler plugin

  • /opt/sophos-spl/plugins/eventjournaler/log/eventjournaler.log: The status of the Event Journaler plugin. Includes its status for receiving events from the AV or RTD plugins.

Response actions plugin

  • /opt/sophos-spl/plugins/responseactions/log/responseactions.log: Status of the Response Action plugin. Any actions to run are logged here before being run.
  • /opt/sophos-spl/plugins/responseactions/log/actionrunner.log: Includes details on the status of response actions (commands, upload, downloads) and if there are issues when running a response action.

Runtime detections (RTD) plugin

  • /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log: Details on the status of the RTD plugin, including policies it has loaded and if there have been any detections.

Live response plugin

  • /opt/sophos-spl/plugins/liveresponse/log/liveresponse.log: Includes details on the status of the Live Response plugin and any live Terminal sessions.
  • /opt/sophos-spl/plugins/liveresponse/log/sessions.log: Includes details for each individual Live Response session. For example, the session ID and URL visited.

Other log paths

You can find logs for product downgrade and installation at the following locations:

  • /opt/sophos-spl/logs/base/downgrade-backup/downgrade-backup/: This directory contains any logs backed up during a product downgrade.
  • /opt/sophos-spl/logs/installation/: This directory contains verbose installation logs.

Sophos Diagnostic Utility

The SDU gathers all logs from the SPL agent, all plugins, and the audit logs.

Run the command:

/opt/sophos-spl/bin/sophos_diagnose

This outputs a .tar.gz file to the current working directory.

To specify where the SDU creates the diagnostic output file, run the command with the directory you want as the first argument. For example, to output the diagnostic log collection to /tmp, run the following command:

/opt/sophos-spl/bin/sophos_diagnose /tmp

Tip

You can also run the SDU remotely from Sophos Central. See Diagnose.

SPL logs in Sophos Central

The logging on the endpoint device offers more detail than the logging that appears in Sophos Central. The Events tab in a server's details page lets you see events on the server. See Server Events.

Some of the events you can see are as follows:

  • Updating events
  • Malware and PUA detections
  • Malware and PUA cleanup
  • On-demand scan results

Tip

You can also see events on the Alerts page. See Alerts.